Average remediation time for critical-severity KEVs improved by 50%, reducing from 60 days to 30 days.

SSL vulnerability remediation times improved significantly, dropping from 200 days in August 2022 to under 50 days in 2024.

66% of IT leaders agree outbound email security doesn’t get as much attention beyond compliance, but it is the silent security killer

Top publicly exposed OT/ICS protocols observed in 2024 included Open Platform Communications Unified Architecture (OPC UA) – 43%, Distributed Network Protocol (DNP) – 22%, Niagara-Fox – 21%, Ethernet/IP – 10%, Modbus – 4%.

When asked if they agree with the statement "We aren't sure if any employees are currently accessing GenAI sites today or what they are doing on these sites," 42% of organizations surveyed said they strongly agree, 40% said they agree, 7% said they neither agree nor disagree, 5% said they disagree, 5% said they strongly disagree.

Five sectors with the highest occurrences of exposed OT protocols were: Government Facilities – 63%, Information Technology – 10%, Energy – 10%, Healthcare and Public Health – 5%, Financial Services – 4%.

28% of federal contractors had at least one observable malware infection or compromised device on their networks in the past year.

Of detected email threats, 11% were able to bypass email gateway scanners in Q3 2024, a 1% decrease compared to Q2 2024.

13.7% of CISOs said their compliance program is a 1 (“Initial: ad-hoc”), and 23% said their program is a 2 (“Established: documented and repeatable”).

Third-party software & IT caused 50% of breaches at insurance companies.

More than a third (37.8% of CISOs) said their relationship between compliance and security is in a phase of simple negotiations.

Employees frequently send the wrong attachment (33%), misaddress emails to unintended recipients (32%), or misuse CC and BCC fields (20%). These mistakes are more likely to happen when employees are tight on time (54%), when they are stressed (40%), or when they feel overwhelmed by too many messages (40%).

Malicious spreadsheets (e.g. XLS, XLSX) totaled 7% of threats detected in Q3 2024.

The top 25% of organizations had at least 21% of their people using genAI apps, while the bottom 1% had just 1.7%.

LockBit's victim count decreased from 176 in May 2024 to only five in December.

25.5% of CISOs assume current GRC processes are not broken.

Phishing attacks in Japan and Singapore rose by 37%.

66.7% of education businesses are challenged by audit readiness and their maturing compliance program.

Other types of data involved in policy violations include: intellectual property (16%), source code (13%), passwords and keys (11%), and encrypted data (1%).

230 million of the breached passwords met standard complexity requirements, including length, capitalisation, numbers and special characters.